Summary

Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3 We need to implement a mechanism to disable signature schemes based on their TLS scope.

Problem

The current syntax of the jdk.tls.disabledAlgorithms security property doesn't allow to disable algorithms based on their TLS scope, i.e. their application inside the TLS protocol. For example, if you add "rsa_pkcs1_sha1" to the jdk.tls.disabledAlgorithms security property, it disables specified signature scheme to be used for both: handshake signing and certificate signing.

Solution

Implement a mechanism to disable signature schemes based on their TLS scope.

Specification

The definition of the jdk.tls.disabledAlgorithms security property in the java.security file will be updated to describe new functionality. The following text will be added to the definition:

 - TLS protocol specific usage constraints are supported by this property:

   UsageConstraint:
       usage UsageType { UsageType }

   UsageType:
       HandshakeSignature | CertificateSignature

   HandshakeSignature restricts the use of the algorithm in TLS handshake
   signatures. CertificateSignature restricts the use of the algorithm in
   certificate signatures. An algorithm with this constraint cannot include
   other usage types defined in the jdk.certpath.disabledAlgorithms
   property. The usage type follows the keyword and more than one usage type
   can be specified with a whitespace delimiter.
   Example: "rsa_pkcs1_sha1 usage HandshakeSignature"